Random IE popups & audio ads, also trojan alerts

I recently started to randomly get Internet Explorer popup advertisements, audio advertisements (with no window, just audio), and my antivirus comes up with alerts that trojans have tried to access (they go into quarantine).

I was not able to finish GMER (computer restarts), and was not able to save the results in safe mode due to the low resolution and not being able to access the save button. I ran Malwarebytes and it found nothing, and Symantec also found nothing. Generally speaking I am not able to find anything when I scan. I just get pop-ups/audio and alerts.

Also, I did Ctrl+Alt+Delete to look at the programs running and there are multiple iexplore.exe programs running even though there is not. There are also clicking sounds like someone is clicking links when I'm not.

[1]. Do NOT rename Combofix unless instructed.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3].Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.

NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If Combofix asks you to install Recovery Console, please allow it.
[6]. If Combofix asks you to update the program, always allow.

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix. Re-enable your Antivirus software.

Do NOT reboot computer!
==================================
Are you running any disc emulation software? Examples would be DAEMON Tools, Virtual CD, Phantom Burner and Original CD Emulator. That can cause the logs to report an issue with your MBR files. If running remover.exe doesn't work again, I'll give instructions for disabling the emulation program.

I opened notepad again and pasted the information and saved as directed and opened the program.

Next I ran remover.exe and attached are the results.

I'm pretty sure that no disc emulation software is running bc this is my dad's computer and he just uses it for work, ie Outlook, etc. Is there a way to check if there is disc emulation software running?

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
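
As an added illustration (not part of the thread and not remover.exe's own code), a sector saved with the dump command above can be reviewed offline. This Python example assumes the dump is the raw 512-byte sector in the classic MBR layout; the function names, the baseline-hash comparison and the sample sector are constructed here.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code area of a classic MBR
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
SIGNATURE_OFF = 510        # last two bytes must be 55 AA


def parse_mbr(sector: bytes) -> dict:
    """Parse one dumped master boot sector into reviewable fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"slot": i, "active": status == 0x80,
                           "bad_status": status not in (0x00, 0x80),
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code differs from a hash recorded while clean."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256.lower()


def build_sample_sector(boot_code: bytes) -> bytes:
    """Constructed test sector: one active NTFS (0x07) partition at LBA 63."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 254, 255, 255]) + struct.pack("<II", 63, 204800)
    body = boot_code.ljust(PART_TABLE_OFF, b"\x00") + entry + bytes(48)
    return body + b"\x55\xaa"


if __name__ == "__main__":
    clean = build_sample_sector(b"\xfa\x33\xc0")          # constructed bytes
    baseline = parse_mbr(clean)["boot_code_sha256"]
    altered = build_sample_sector(b"\xeb\x3c\x90")        # constructed bytes
    print(parse_mbr(altered)["partitions"])
    print("boot code changed:", boot_code_changed(altered, baseline))
```

A changed hash only shows that the boot code differs from the recorded baseline; boot managers and disk utilities also rewrite this area, so the partition table fields are reported alongside it for review.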

I was looking at the other posts to try to see why it wasn't working and on your notepad copy/paste code there is a new line after START which wasn't in some other posts, so I removed the new line and ran it and attached the log. Thanks

Thank you. Yes, somehow one of the slashes got left off. I fixed it 3 times yesterday then finally rewrote the whole thing: correct line should have been:
remover.exe fix \\.\PhysicalDrive0

There are times though that even with correct code, it doesn't work the first time and had to be done again.

I will be out until after lunch. I will then go over everything you've done and determine where to go next. You are getting pop-up ads, some with audio, and they are in Internet Explorer windows; is that correct?

Yes, the pop-ups/audio ads only occur with Internet Explorer. There was a popup after I ran the fix.bat and there haven't been any changes since we started and I've only run the tests you've told me to.

I am having to retype the remover.exe line every time I put the code in! Really weird that one of the slashes gets dropped! I'd like to run a scan with HijackThis just to make sure there are no bad entries loading. I'll check that, then have you remove the cleaning tools we used:

Choose v2.0.4:
Download the HijackThis Installer HERE and save to the desktop:

Double-click on HJTInstall.exe to run the program.

By default it will install to C:\Program Files\Trend Micro\HijackThis.

Accept the license agreement by clicking the "I Accept" button.

Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.

Click "Save log" to save the log file and then the log will open in notepad.

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I had a script written for you to run in Combofix, but we got sidetracked with the Bootkit and I never gave it to you! But I want to make sure that you have kept Symantec as the antivirus. Is that correct?

One other question or verification: you have this entry in the Registry:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck xmnt2002 /bat=c:\windows\TEMP\PQ_BATCH.PQB /win=c:\windows /dbg=c:\WINDOWS\TEMP\PQ_DEBUG.TXT /ver=262144 /prd=PartitionMagic\0autocheck autochk *

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad and copy/paste the text in the code below into it:

When finished, it will produce a log for you at C:\ComboFix.txt.
====================
HijackThis log is okay. If problems have been resolved:

Removing all of the tools we used and the files and folders they created

Uninstall ComboFix and all Backups of the files it deleted

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

Go to Start > All Programs > Accessories > System Tools

Click "System Restore".

Choose "Create a Restore Point" on the first screen then click "Next".

Give the Restore Point a name > click "Create".

Go back and follow the path to > System Tools.

Choose Disk Cleanup.

Click "OK" to select the partition or drive you want.

Click the "More Options" Tab.

Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.